This is the start of a 4 part document series with 2 appendix sections explaining how to configure Intel AMT for a McAfee ePO Deep Command environment.
If you are new to McAfee ePO Deep Command or are looking for an index of resources available on the McAfee Community, please click here
If you are unable to complete Intel AMT configuration via the methods explained in the McAfee ePO Deep Command Product Guide, this document series explains alternative approaches which may be more suitable for your environment.
McAfee ePO Deep Command provides out of band management for systems with Intel® Active Management Technology (AMT). Hardware manufacturers ship systems with Intel AMT in an unconfigured state. In order to establish trust between these systems and your environment, Intel AMT must be configured in a secure manner with certificates.
McAfee requires that an internal self-signed TLS webserver certificate be obtained and assigned to each Intel AMT system during the configuration process. The process of requesting and applying the TLS webserver certificate can be automated via software from Intel and an internal Microsoft Certificate Authority. The issued TLS webserver certificate is stored in the Intel AMT firmware on the system and is used to encrypt all communications between Intel AMT and your ePO server.
McAfee recommends that you also use an SSL certificate (a remote configuration certificate issued by a public certificate authority) to enable remote configuration of your Intel AMT systems. Configuring your Intel AMT systems in this way ensures that they are in Admin Control Mode, which gives ePO complete control of the Intel AMT functionality without requiring user consent for any of the operations.
However, using an SSL certificate and performing remote configuration adds complexity to configuring Intel AMT and deploying Deep Command. As a result, you may want to explore other configuration methods if you are testing the product or doing a proof-of-concept deployment. These methods are much faster and easier because they do not require an SSL certificate issued by a public certificate authority.
The table below summarizes main points of consideration in selecting an Intel AMT Configuration approach. The “STD” notation refers to the standard configuration method within McAfee ePO Deep Command version 1.5. The “ALT” notation refers to alternative configuration options as explained in this series.
| Consideration | STD: Remote Configuration Certificate | ALT: Pre-Shared Key | ALT: Custom Self-Signed Remote Configuration Certificate | ALT: Host Based Configuration | ALT: Delta Configuration |
|---|---|---|---|---|---|
| Compatible with AMT Configuration Policy in McAfee ePO | Yes | Yes | Yes | No | No |
| Recommended for Testing and Early Proof-of-Concept | No | Yes | Yes | Yes | Yes |
| Apply configuration over wireless | No | No | No | Yes | Yes |
| Requires Physical Touch | No | Yes | Yes | No | |
| Requires SSL Remote Configuration Certificate | Yes | | | | |
| Requires internal Microsoft Certificate Authority (CA) | Yes | Yes | Yes | Yes | Yes |
| User consent required for redirection operations | No | No | No | Yes | No |
| Recommended for production deployments | Yes | No | No | Yes | Yes |
| Supported Intel AMT versions (compliant with McAfee ePO Deep Command) | AMT 4.1 and above | AMT 4.1 and above | AMT 4.1 and above | AMT 6.2 and above | All versions |
Per the chart above, Host Based Configuration is recommended for enterprise customers testing McAfee ePO Deep Command. While this method requires user consent for some operations, it is the fastest and easiest way to set up the product in a way that closely mimics a production deployment.
In addition to Host Based Configuration, the focus of this document series is to demonstrate alternative methods in obtaining the desired end state: Intel® AMT configured with an embedded TLS certificate. This end state is compatible with McAfee ePO Deep Command. The screenshots shared and guidance provided utilize McAfee ePO Deep Command v1.5.
In all cases, a core principle must be achieved: establishing initial trust between Intel® AMT firmware and the configuration software.
Readers of this and associated documents must have a foundational understanding of Intel AMT, tools and approaches to configuring Intel AMT, and how to use McAfee ePO.
For the purposes of this document series, Intel® Setup and Configuration Service (SCS) is the primary configuration software used. More information and a download of the latest Intel® SCS release are available at http://www.intel.com/go/scs. The Intel SCS 8 Deployment Guide available via that site demonstrates many of the concepts presented in this article. An animated training on the Intel SCS interface and configuration concepts is available at http://www.intel.com/content/www/us/en/processors/vpro/vpro-activation-training-animation.html
For a base understanding of Intel® AMT configuration in a McAfee ePO Deep Command v1.5 environment, please refer to Section 3 of the current product documentation.
For the purposes of this material, the Intel AMT configuration profile created for Intel SCS is called “AMTprofile” as shown below. Details on how to use the Intel SCS console to generate the profile are beyond the scope of this document.
Discover Intel® AMT Capable Systems
The first step, regardless of the approach taken, is to detect which clients in your environment have Intel® AMT. Use the Intel AMT Discovery Plugin, which is provided free of charge and must be installed before the ePO Deep Command framework extension is added to your environment.
The Deep Command Discovery & Reporting Dashboard shown below indicates that four Intel AMT capable clients were found. All Intel AMT capable systems are in a starting state of unconfigured.
Selecting an Alternative Configuration Method
Using the four sample systems shown in the discovery, four alternative methods will be demonstrated with key advantages and disadvantages as noted below.
The intent is to complete the configuration to be compliant with McAfee ePO Deep Command without using a publicly issued remote configuration certificate.
In addition to the four alternative configuration methods, Appendix A explains how to setup and utilize a Microsoft Standalone Certificate Authority. For testing and certain production deployment environments, use of a Standalone CA may be required to avoid dependencies in setting up or communicating with an Enterprise CA. The key disadvantage of a Standalone CA for the purposes of a McAfee ePO Deep Command trial or deployment is that the public root certificate is not automatically replicated to other servers in the domain. More information is provided in Appendix A.
Appendix B explains how to create a custom package using the McAfee ePO Enterprise Deployment Kit (EEDK). The custom package will be used in Parts 3 and 4 of this document series to deliver files and execute commands outside of the McAfee ePO Deep Command policy for Intel AMT configuration.
The list below includes links to supporting documents on alternative configuration methods for Intel AMT in a McAfee ePO environment. Only one method, and its corresponding document, needs to be used.
To assist in making a selection, a basic set of recommendations:
- For initial proof-of-concept or pilot testing
- For production testing and deployment
- If Intel AMT is already configured but not compliant with McAfee ePO, choose Delta Configuration (specifically the sub-sections "Determine if TLS Enabled and Supported" and "Define a Delta Configuration Profile")
- If all detected Intel AMT systems are version 7.x or higher, choose Host Based Configuration
- Otherwise, obtain a valid 3rd party remote configuration certificate and choose Remote Configuration Certificate
Select the alternative method that works best for your environment and purposes.
- Pre-Shared Key Configuration – See Part 2 for more information
  - Advantage: Uses the McAfee ePO Deep Command v1.5 AMT configuration policy
  - Disadvantages: Must touch each system. Must be configured via a wired LAN connection with the client IP assigned via DHCP.
- Custom Self-Signed Remote Configuration Certificate – See Part 2 for more information
  - Advantage: Uses the McAfee ePO Deep Command v1.5 AMT configuration policy
  - Disadvantages: Must touch each system. Must have a Microsoft Enterprise CA. Must be configured via a wired LAN connection with the client IP assigned via DHCP.
- Host Based Configuration – See Part 3 for more information
  - Advantages: Configuration of Intel AMT is as easy as a software deployment package. Systems can be configured via a wired, wireless, or VPN connection. Systems with a static IP address can be configured.
  - Disadvantages: Not compliant with the McAfee ePO Deep Command v1.5 AMT configuration policy. Works only with Intel AMT 7.x or higher systems. Specific usage scenarios will require user consent (Boot to BIOS, Boot/Reboot from Image, and McAfee KVM Viewer).
- Delta Configuration post initial configuration – See Part 4 for more information
  - Advantage: Demonstrates how you can move a non-compliant configuration to one compliant with McAfee ePO Deep Command. The Delta Configuration can occur via wired, wireless, or VPN. Systems with a static IP address can be configured.
  - Disadvantages: Requires a 2-step process and is not compliant with the McAfee ePO Deep Command v1.5 AMT configuration policy.
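As an added example (not code from this article, from Intel SCS, or from McAfee ePO), the following Python encodes the selection rules and the per-method constraints stated above and in the comparison table, then applies them to a constructed inventory of four discovered clients. The `AmtSystem` record shape, the `METHODS` table and the `FLEET` values are assumptions for illustration; Host Based Configuration is gated at AMT 7.0 following the text's "7.x or higher" rule rather than the table's 6.2 entry, and systems that are already configured and compliant are simply left alone.

```python
"""Choose an Intel AMT configuration method for a discovered fleet.

Added example, not code from the article, Intel SCS or McAfee ePO. It encodes
the selection rules and per-method constraints the article states so they can
be applied to a discovery inventory. The fleet below is constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AmtSystem:
    """One discovered client (hypothetical record shape, not the ePO schema)."""
    name: str
    amt_version: str       # firmware version as discovered, e.g. "7.1.20" or "6.2"
    configured: bool       # Intel AMT already configured (by any method)?
    epo_compliant: bool    # configured with an embedded TLS certificate ePO can use?
    wired_dhcp: bool       # on a wired LAN with a DHCP-assigned address?


# Constraints per method, taken from the article's comparison table and method list.
# min_version: lowest supported Intel AMT version; None means any version.
METHODS = {
    "Remote Configuration Certificate":
        dict(min_version=(4, 1), needs_wired_dhcp=False, needs_configured=False,
             policy_compatible=True, user_consent=False),
    "Pre-Shared Key":
        dict(min_version=(4, 1), needs_wired_dhcp=True, needs_configured=False,
             policy_compatible=True, user_consent=False),
    "Custom Self-Signed Remote Configuration Certificate":
        dict(min_version=(4, 1), needs_wired_dhcp=True, needs_configured=False,
             policy_compatible=True, user_consent=False),
    # The text says AMT 7.x or higher; the summary table lists 6.2. The text's rule is used.
    "Host Based Configuration":
        dict(min_version=(7, 0), needs_wired_dhcp=False, needs_configured=False,
             policy_compatible=False, user_consent=True),
    "Delta Configuration":
        dict(min_version=None, needs_wired_dhcp=False, needs_configured=True,
             policy_compatible=False, user_consent=False),
}


def parse_version(text: str) -> tuple:
    """Reduce a discovered version string to (major, minor); '7.x' -> (7, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text)] + [0, 0]
    return (nums[0], nums[1])


def eligible_methods(system: AmtSystem) -> list:
    """Methods whose stated constraints this one system satisfies."""
    version = parse_version(system.amt_version)
    out = []
    for name, m in METHODS.items():
        if m["min_version"] is not None and version < m["min_version"]:
            continue
        if m["needs_wired_dhcp"] and not system.wired_dhcp:
            continue
        if m["needs_configured"] and not system.configured:
            continue
        out.append(name)
    return out


def plan(fleet: list) -> dict:
    """Apply the article's selection rules; returns system name -> method."""
    result, fresh = {}, []
    for s in fleet:
        if s.configured and not s.epo_compliant:
            result[s.name] = "Delta Configuration"   # configured but non-compliant
        elif s.configured:
            result[s.name] = "Already compliant"
        else:
            fresh.append(s)
    if fresh:
        # Host Based only if every unconfigured system is 7.x or higher;
        # otherwise obtain a third-party remote configuration certificate.
        all_7x = all(parse_version(s.amt_version) >= (7, 0) for s in fresh)
        method = "Host Based Configuration" if all_7x else "Remote Configuration Certificate"
        for s in fresh:
            result[s.name] = method
    return result


def caveats(method: str) -> list:
    """Operational consequences of a chosen method, as stated in the article."""
    m = METHODS[method]
    notes = []
    if not m["policy_compatible"]:
        notes.append("not compatible with the ePO Deep Command v1.5 AMT configuration policy")
    if m["user_consent"]:
        notes.append("user consent needed for Boot to BIOS, Boot/Reboot from Image and KVM Viewer")
    if m["needs_wired_dhcp"]:
        notes.append("requires physical touch and a wired LAN connection with a DHCP address")
    return notes


# Constructed sample inventory: four AMT-capable clients, as the dashboard reported.
FLEET = [
    AmtSystem("WS-01", "8.1.40", configured=False, epo_compliant=False, wired_dhcp=True),
    AmtSystem("WS-02", "7.1.20", configured=False, epo_compliant=False, wired_dhcp=False),
    AmtSystem("WS-03", "6.2.30", configured=False, epo_compliant=False, wired_dhcp=True),
    AmtSystem("WS-04", "9.0.1", configured=True, epo_compliant=False, wired_dhcp=False),
]

if __name__ == "__main__":
    for system, method in plan(FLEET).items():
        print(f"{system}: {method}; caveats: {caveats(method) if method in METHODS else []}")
    for s in FLEET:
        print(s.name, "eligible:", eligible_methods(s))
```

With the sample fleet, the single AMT 6.2 client pulls the unconfigured group onto the standard remote-configuration-certificate path, while the already-configured WS-04 goes to Delta Configuration; remove WS-03 and the same rules select Host Based Configuration for the rest.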
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries